Description

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.

Remediation

References

https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f

https://github.com/jaw187/node-traceroute/tags

https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3

https://snyk.io/vuln/npm:traceroute:20160311

https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy

https://www.npmjs.com/advisories/1465

https://www.npmjs.com/package/traceroute

https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/

Related Vulnerabilities

CVE-2016-1000338 Vulnerability in maven package org.bouncycastle:bcprov-jdk15on

CVE-2023-26920 Vulnerability in npm package fast-xml-parser

CVE-2020-28434 Vulnerability in npm package gitblame

CVE-2007-4556 Vulnerability in maven package opensymphony:xwork

CVE-2020-13445 Vulnerability in maven package com.liferay:com.liferay.portal.template.freemarker

Severity

Critical

Classification

CWE-74 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit Product